HIPAA Risk Assessments - Do You Need One?



The average cost of a healthcare data breach in the United States in 2014 was $6.5 million, according to a recent report by The Ponemon Institute. In addition, criminal hackers more than doubled their attacks on healthcare companies over the past five years. Proactively addressing risk assessments and data security before a breach occurs is more important today than ever, especially when you consider the costs associated with a breach investigation, breach notifications, government investigations, government fines, continued government monitoring under an HHS-imposed corrective action plan, and defending lawsuits related to the breach. Documenting a program of continued risk assessment for compliance with the HIPAA Security and Privacy Rules will help your organization reduce the risk of a breach, the fines under HIPAA, and the costs associated with a breach.

Conducting a risk analysis is the first step in identifying and implementing safeguards that comply with and carry out the standards and implementation specifications in the Security Rule. Risk assessments are required for compliance with the HIPAA Security Rule; they identify the risks and vulnerabilities that exist in the environment so that those risks and vulnerabilities can be managed effectively. HIPAA risk assessments are a cornerstone of an effective HIPAA security program for properly securing electronic Protected Health Information (ePHI). Below are a few simple steps you can take to remain compliant with HIPAA's Security Rule.

1. Identify all of the ePHI within the organization.

In many cases, risk assessments tend to identify where PHI "should be" rather than where it "could be". The problem is that companies assume risk can be assessed just by looking at the Electronic Health Records (EHR) implementations that handle PHI. This narrow view fails to account for PHI existing in systems other than the EHR; to be effective, the risk assessment needs to thoroughly consider the likelihood of PHI residing on a variety of storage devices. Thumb drives, local hard drives, email, mobile devices, fax machines and copiers are often overlooked as places where ePHI could intentionally or unintentionally reside and be at risk.

2. Determine the risk analysis frequency

One of the most prevalent challenges in complying with the HIPAA Security Rule's risk analysis requirement is determining the frequency or triggering conditions for performing a risk analysis. The HIPAA Security Rule and the 2010 OCR risk analysis guidance state that risk analysis should be "ongoing" in order to document and update security measures as needed. The Security Rule states that continuous risk analysis should be performed to identify when updates are needed. OCR guidance notes that the frequency will vary among covered entities. Some covered entities may perform these processes annually or as needed (e.g., bi-annually or every three years) depending on the circumstances of their environment. Typically, covered entities that are attesting to Meaningful Use and complying with the spirit of the Security Rule will conduct an annual HIPAA risk assessment.

3. Be objective during reviews of processes and controls.

As hard as it sounds, the risk assessment should be seen as an opportunity to look at the organization and objectively identify areas for improvement. Oftentimes, this means management will be reviewing processes they designed and have worked with for years. It's important to use the risk assessment to identify gaps and strengthen controls, not just to "justify" that the existing controls are "good enough" or "aren't going to change". The risk assessment is also an excellent opportunity to gain executive buy-in, so the management team understands they are supported in their efforts to improve controls.

4. Follow through on remediation plans.

It takes a lot of effort to properly conduct a HIPAA risk assessment and plan the remediation of the gaps identified. Continuously following through on the remediation plans can also be difficult, but it is necessary to make sure all gaps are closed. Organizations often "lose steam" after the risk assessment, and efforts may get diverted to other projects. It is important to set up periodic status meetings to ensure remediation efforts continue.

5. Tackle "low hanging fruit".

Some organizations try to tackle the biggest and most challenging problems first when they identify weaknesses from their risk assessment, and it's common for the management team to want to direct everyone's attention to remedying the most egregious issues. However, there are many instances where huge progress can be made by taking care of some of the simpler problems. A few of the easier steps that tend to be overlooked include identifying a HIPAA Security Officer, HIPAA awareness training, and vendor/contractor management policies. These changes tend to have a pervasive effect throughout the organization and will often help with progress in other areas.

6. Consider which HIPAA risk assessment tool is best for your organization.

The OCR highlights two tools in its 2010 guidance that provide a framework for risk assessment:

Security Risk Assessment Tool (SRA) - developed by the Office of the National Coordinator for Healthcare Information Technology (ONC). The ONC's SRA user guide walks users through 156 questions with resources to help understand the context of each question. It also allows users to factor in the likelihood and impact to ePHI in the organization. The tool functions on mobile devices as well. It can be downloaded from HealthIT.gov. The tool is geared towards smaller practices and while a good starting point, it does not take into consideration many of the complexities of larger organizations.

Risk Assessment Toolkit - developed by a team of Health Information Management Systems Society (HIMSS) professionals. The HIMSS Risk Assessment guide and data collection matrix contain a PDF user guide, Excel workbooks with NIST risk analysis references, application and hardware inventory workbooks, HIPAA Security Rule standards and implementation specifications, and a defined safeguards workbook. The safeguards are numbered 1-92 and correspond to the Security Scorecard workbook. The scorecard breaks the numbered safeguard components down for assessment at the organization level, by department, and within the applications that contain ePHI. The HIMSS Risk Assessment toolkit is available at: https://www.himss.org/himss-security-risk-assessment-guidedata-collection-matrix. The tool includes NIST Special Publication 800-30 Revision 1 guidance for completing a risk assessment.


Healthcare organizations must implement strong data security safeguards. Doing so supports compliance with the HIPAA Security Rule, reduces risk, and helps ensure the confidentiality, integrity and availability of the ePHI the organization creates, receives, maintains or transmits. Conducting internal risk analysis, along with annual risk assessments that engage a professional services provider every other year, also reduces risk and maximizes the value of the resources engaged. Finally, using an industry-standard toolkit will help your organization become comfortable with conducting self-assessments in the alternating years while saving time and money.
